IN THE CLAIMS 



This listing of claims will replace all prior versions, and listings, of claims in the 
application: 
Listing of Claims: 

1. (Currently Amended) A method for protecting a computer environment, comprising: 

providing an archive index that includes for each of one or more stored 
objects a corresponding archive index entry indicative of a state of the stored object at an 
archive time with which the entry is associated;

comparing a first event with the archive index a system index generated at
a system index time subsequent to the archive time;

determining whether the generating based on the comparison a first event
is unusual if the comparison indicates that a first stored object associated with the system
index has been modified since the archive time; and

determining whether a security incident associated with correlation exists
between the first event and a second event generated in connection with a monitoring
process associated with the computer environment has occurred.

2. (Original) A method for protecting a computer environment as recited in Claim 1, 

wherein the first event indicates that a file has been modified. 

3. (Currently Amended) A method for protecting a computer environment as recited in 
Claim 1, wherein determining whether the first event is unusual comparing includes looking up
an identifier of a file in the archive index; and wherein the file is associated with the first event.

4. (Original) A method for protecting a computer environment as recited in Claim 3, 
wherein the identifier includes a signature. 

5. (Original) A method for protecting a computer environment as recited in Claim 3, 
wherein the identifier includes a signature generated by a hash function. 

6. (Original) A method for protecting a computer environment as recited in Claim 3,
wherein the identifier includes a signature generated by a checksum function. 

7. (Currently Amended) A method for protecting a computer environment as recited in 
Claim 1, wherein the first event indicates that a file has been modified, and determining whether
the file modification is unusual comparing includes comparing a number of occurrences of the
file in the index with a threshold.

8. (Original) A method for protecting a computer environment as recited in Claim 1, 
wherein the first event indicates that a file has been modified, and determining whether the
security incident associated with the first event has occurred comparing includes comparing a
number of occurrences of the file in the archive index with a threshold.

9. (Canceled) 

10. (Canceled) 

11. (Canceled) 

12. (Canceled) 

13. (Currently Amended) A method for protecting a computer environment as recited in 
Claim 1, further comprising determining a priority of the a security incident if it is determined
that a security incident associated with a correlation exists between the first event and the second
event has occurred.

14. (Original) A method for protecting a computer environment as recited in Claim 1, further 
comprising determining a degree of unusualness for the first event. 

15. (Currently Amended) A method for protecting a computer environment as recited in 
Claim 1, further comprising determining a degree of unusualness for the first event and 
determining a priority of the a security incident based on the degree of unusualness. 

16. (Canceled) 

17. (Currently Amended) A method for protecting a computer environment as recited in
Claim 1, wherein the index includes an archive index that includes a file signature. 

18. (Currently Amended) A method for protecting a computer environment as recited in 
Claim 1, wherein the index includes an archive index that includes file revision information. 

19. (Currently Amended) A method for protecting a computer environment as recited in 
Claim 1, wherein the index includes an archive index is stored in a database. 

20. (Currently Amended) A method for protecting a computer environment as recited in 
Claim 1, wherein the index includes an archive index is stored in an extensible markup language 
(XML) file. 

21. (Currently Amended) A method for protecting a computer environment as recited in 
Claim 1, wherein the archive index is cached. 

22. (Currently Amended) A system for protecting a computer environment, comprising: 

a processor configured to provide an archive index that includes for each 
of one or more stored objects a corresponding archive index entry indicative of a state of 
the stored object at an archive time with which the entry is associated, compare a first
event with the archive index a system index generated at a system index time subsequent
to the archive time, determine whether the generate based on the comparison a first event
is unusual if the comparison indicates that a first stored object associated with the system
index has been modified since the archive time, and determine whether a security
incident associated with correlation exists between the first event and a second event
generated in connection with a monitoring process associated with the computer
environment has occurred; and

a memory coupled with the processor, wherein the memory is configured 
to provide the processor with instructions. 

23. (Currently Amended) A computer program product for protecting a computer
environment, the computer program product being embodied in a tangible computer readable
storage medium and comprising computer instructions for:

providing an archive index that includes for each of one or more stored
objects a corresponding archive index entry indicative of a state of the stored object at an 
archive time with which the entry is associated;

comparing a first event with the archive index a system index generated at
a system index time subsequent to the archive time;

determining whether the generating based on the comparison a first event
is unusual if the comparison indicates that a first stored object associated with the system
index has been modified since the archive time; and

determining whether a security incident associated with correlation exists
between the first event and a second event generated in connection with a monitoring
process associated with the computer environment has occurred.